General Best Practice for role-based security
From: Frank J (FrankJ_at_discussions.microsoft.com)
Date: Wed, 16 Jun 2004 11:11:57 -0700
We are designing an intranet web application backed by a centralized SQL DB.
After user login, depending on the department and role (manager, employee, data operator), the web page will show or not show certain sections.
Most important, within one page, based on the role of the logged-in user, some functions will be hidden from or shown to the user. For example, an accounts dept. employee shouldn't see the client login password, while customer service cannot delete a client account. I.e., for a simple page like client info, there will be so many variants. How can I avoid creating a redundant user interface for the same information?
I believe this is a common issue and am looking for best practices. How do I get started? Is there any whitepaper or sample available?
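As an added illustration (not part of the original post and not code from any Microsoft sample), here is one way to structure the situation Frank describes: map each (department, role) pair to a set of fine-grained permissions, define the client-info page once with each field and action declaring the permission it requires, and have the server-side handler re-check the permission rather than trusting that the button was hidden. The department names, role names, permission matrix and client record below are constructed for the example; in a real system the matrix would live in the central database. The "login_password" field is kept only to mirror the post's example; in practice a client password should be stored as a hash and never displayed to anyone.

```python
"""Permission-based visibility for a single 'client info' page.

Added example, not from the original post. Department/role names and the
permission matrix are made up for illustration.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable


class Perm(Enum):
    VIEW_CLIENT = auto()              # basic contact details
    VIEW_CLIENT_CREDENTIALS = auto()  # the client's login credential field
    EDIT_CLIENT = auto()
    DELETE_CLIENT = auto()


# Permission matrix keyed by (department, role). Constructed for the example;
# in a real system this would be loaded from the central DB, not hard-coded.
ROLE_PERMS: dict[tuple[str, str], frozenset[Perm]] = {
    ("accounts", "employee"): frozenset({Perm.VIEW_CLIENT}),
    ("accounts", "manager"): frozenset({Perm.VIEW_CLIENT, Perm.EDIT_CLIENT, Perm.DELETE_CLIENT}),
    ("customer_service", "employee"): frozenset(
        {Perm.VIEW_CLIENT, Perm.VIEW_CLIENT_CREDENTIALS, Perm.EDIT_CLIENT}
    ),
    ("customer_service", "data_operator"): frozenset({Perm.VIEW_CLIENT, Perm.EDIT_CLIENT}),
}


@dataclass(frozen=True)
class User:
    name: str
    department: str
    role: str


def permissions_for(user: User) -> frozenset[Perm]:
    # Unknown department/role combinations get nothing: deny by default.
    return ROLE_PERMS.get((user.department, user.role), frozenset())


def can(user: User, perm: Perm) -> bool:
    return perm in permissions_for(user)


# ONE page definition. Each field and action declares the permission it needs,
# so there is a single template rather than one page variant per role.
CLIENT_INFO_FIELDS: list[tuple[str, Perm]] = [
    ("name", Perm.VIEW_CLIENT),
    ("email", Perm.VIEW_CLIENT),
    ("login_password", Perm.VIEW_CLIENT_CREDENTIALS),  # see note in the lead-in
]
CLIENT_INFO_ACTIONS: list[tuple[str, Perm]] = [
    ("edit", Perm.EDIT_CLIENT),
    ("delete", Perm.DELETE_CLIENT),
]


def render_client_info(user: User, client: dict) -> dict:
    """Return only the fields and actions this user is allowed to see.

    Filtering happens here, before the data reaches the template, so a value
    the user may not view is never sent to the browser at all.
    """
    perms = permissions_for(user)
    fields = {name: client[name] for name, needed in CLIENT_INFO_FIELDS if needed in perms}
    actions = [name for name, needed in CLIENT_INFO_ACTIONS if needed in perms]
    return {"fields": fields, "actions": actions}


class Forbidden(Exception):
    pass


def require(perm: Perm) -> Callable:
    """Server-side guard for an action handler.

    Hiding a button is presentation, not access control: a user can still
    submit the request by hand, so the handler checks the permission again.
    """
    def decorator(handler: Callable) -> Callable:
        def wrapper(user: User, *args, **kwargs):
            if not can(user, perm):
                raise Forbidden(f"{user.name} lacks {perm.name}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@require(Perm.DELETE_CLIENT)
def delete_client(user: User, clients: dict, client_id: int) -> bool:
    """Delete a client record; returns False if no such record existed."""
    return clients.pop(client_id, None) is not None


# Constructed sample record for a stand-alone run.
SAMPLE_CLIENTS = {
    42: {"name": "Acme Ltd", "email": "ops@example.com", "login_password": "<hash>"},
}

if __name__ == "__main__":
    accounts = User("alice", "accounts", "employee")
    support = User("bob", "customer_service", "employee")
    print(render_client_info(accounts, SAMPLE_CLIENTS[42]))  # no password, no actions
    print(render_client_info(support, SAMPLE_CLIENTS[42]))   # password, edit only
    try:
        delete_client(support, dict(SAMPLE_CLIENTS), 42)
    except Forbidden as exc:
        print("denied:", exc)
```

The point of the split between `render_client_info` and `require` is that the page stays generic (one template, driven by the permission list) while the authorization decision is made in exactly one place and enforced twice: once when deciding what to render, and again when the action is actually invoked.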